Port 27017 (MongoDB)

TCP

MongoDB Database Server — MongoDB listens on port 27017 by default.

What is Port 27017?

Port 27017 is the default TCP port for MongoDB, the world's most popular NoSQL document database. MongoDB stores data as flexible JSON-like documents (BSON format), making it ideal for applications with evolving data schemas, real-time analytics, content management systems, and IoT platforms.

MongoDB on port 27017 accepts client connections using the MongoDB wire protocol, a binary protocol optimized for efficiency. Through this port, applications perform CRUD operations, run aggregation pipelines, manage indexes, execute administrative commands, and stream real-time changes via change streams.

MongoDB supports replica sets for high availability (automatic failover), sharding for horizontal scaling across multiple servers, and transactions for multi-document ACID operations. All of these features communicate over port 27017 by default, though shard servers and config servers use different default ports.

Critical Warning: MongoDB with default settings (no authentication, bound to 0.0.0.0) has led to over 100,000 database breaches. The 2017 ransomware wave targeting open MongoDB instances demonstrated the devastating consequences of misconfiguration. Always enable authentication and restrict network binding before deploying to production.

MongoDB Ports: 27017 vs 27018 vs 28017

| Port | Service | Description |
|---|---|---|
| 27017 | mongod (default) | Standalone instance, replica set members |
| 27018 | mongod --shardsvr | Shard server members in a sharded cluster |
| 27019 | mongod --configsvr | Config servers storing cluster metadata |
| 27020 | mongos (common) | Query router for sharded clusters |
| 28017 | HTTP interface (legacy) | Web status page (removed in MongoDB 3.6) |

In a sharded cluster, clients connect to mongos routers (port 27017 or 27020), which route queries to the appropriate shard servers (27018). Config servers (27019) store metadata about chunk distribution. Each component can be configured to use custom ports via net.port in mongod.conf.

Common Uses of Port 27017

Standalone Instances: The simplest MongoDB deployment uses a single mongod process on port 27017. Suitable for development, testing, and small applications that don't require high availability.

Replica Sets: For production deployments, MongoDB uses replica sets with a primary and multiple secondary members, all communicating on port 27017. The primary accepts writes; secondaries replicate data for failover. Replica set members use the same port for both client connections and internal replication heartbeats.

Application Connections: Drivers for Node.js, Python (PyMongo), Java, Go, and other languages connect to port 27017 using connection strings like mongodb://hostname:27017/database. MongoDB Atlas (cloud) also uses port 27017 for cluster connections.

MongoDB Compass & mongosh: The official GUI tool (Compass) and command-line shell (mongosh) connect to port 27017 by default for database administration, query building, and performance analysis.

Monitoring Tools: Tools like MongoDB Cloud Manager, Ops Manager, Prometheus exporters (mongodb_exporter), and Datadog integrate with port 27017 to collect metrics on query performance, replication lag, and resource usage.

Port 27017 Security

Authentication: Enable authentication with security.authorization: enabled in mongod.conf. Use SCRAM-SHA-256 (default in MongoDB 4.0+) for password-based auth. Create an admin user first, then application-specific users with the minimum required roles (readWrite on specific databases, not root).

Network Binding: Configure net.bindIp: 127.0.0.1,192.168.1.10 to restrict which interfaces MongoDB listens on. Never use 0.0.0.0 in production without proper firewall rules. MongoDB 3.6+ defaults to localhost-only binding.

TLS/SSL Encryption: Enable TLS for all connections with net.tls.mode: requireTLS and provide certificate files. This prevents eavesdropping on queries and data in transit. Use x.509 certificates for client authentication in high-security environments.

Known Vulnerabilities: Notable MongoDB CVEs include CVE-2013-1892 (nativeHelper BSON injection), CVE-2015-7882 (authentication bypass via SCRAM-SHA-1), and CVE-2024-6384 (queryable encryption range validation). Always run the latest patch version and subscribe to MongoDB security advisories.

Audit Logging: Enable the audit log with auditLog.destination: file (Enterprise) to track authentication events, CRUD operations, and configuration changes. For Community edition, use operationProfiling and MongoDB's built-in logging.

Firewall Rules: Restrict port 27017 access to only application servers and administrators. Use iptables, security groups, or cloud-native firewalls. Block all inbound traffic to 27017 from the public internet.

Configuring MongoDB on Port 27017

mongod.conf (Basic Secure Setup)

# /etc/mongod.conf
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.10
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem

security:
  authorization: enabled

storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
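
An added example, not part of the original page or of MongoDB's own tooling: a small Python audit that reads a mongod.conf and reports the three weak settings discussed above (authorization off, bindIp on every interface, TLS not required). The function names and the minimal YAML flattener are assumptions of this example; it handles only the nested key: value form used in the config above.

```python
# Constructed samples: an exposed config, and the page's secure setup
# reduced to the keys audited here.
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0   # every interface
"""

HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,192.168.1.10
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

def flatten(text):
    """Flatten the nested-mapping YAML subset used by mongod.conf to dotted keys."""
    flat, parents = {}, []  # parents: (indent, key) of the open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while parents and parents[-1][0] >= indent:
            parents.pop()
        path = ".".join([k for _, k in parents] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip("\"'")
        else:
            parents.append((indent, key.strip()))
    return flat

def audit(text):
    """Return one finding per weak setting among the three the page names."""
    conf, findings = flatten(text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    # MongoDB 3.6+ binds to localhost when bindIp is absent.
    for addr in conf.get("net.bindIp", "127.0.0.1").split(","):
        if addr.strip() in ("0.0.0.0", "::"):
            findings.append(f"net.bindIp {addr.strip()} listens on all interfaces")
    if conf.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```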

Creating Admin & Application Users

// Connect without auth first, then create admin:
use admin
db.createUser({
  user: "adminUser",
  pwd: passwordPrompt(),
  roles: ["userAdminAnyDatabase", "readWriteAnyDatabase"]
})

// Create app-specific user with minimal privileges:
use myapp
db.createUser({
  user: "appUser",
  pwd: passwordPrompt(),
  roles: [{ role: "readWrite", db: "myapp" }]
})

Replica Set Configuration

# Add to mongod.conf on each member:
replication:
  replSetName: "rs0"

// Then initiate from mongosh:
rs.initiate({
  _id: "rs0",
  members: [
    { _id: 0, host: "mongo1:27017" },
    { _id: 1, host: "mongo2:27017" },
    { _id: 2, host: "mongo3:27017" }
  ]
})

Firewall Rules

How to Check Port 27017

Remote Scanning

To check if port 27017 is open on a remote host:

Local Listening Check

To check if port 27017 is listening on your local machine:

Troubleshooting Port 27017

Connection refused: MongoDB is not running or not bound to the expected interface. Check with systemctl status mongod and verify net.bindIp in mongod.conf includes the target IP. Review logs at /var/log/mongodb/mongod.log.

Authentication failed: Verify credentials and authentication database. Connect with mongosh -u user -p --authenticationDatabase admin. Check that security.authorization is enabled and the user has the required roles.

Connection timeout: A firewall is blocking port 27017. Check iptables/security groups. For cloud deployments, verify VPC peering, subnet routing, and security group ingress rules allow traffic on 27017.

Replica set connection issues: Ensure all replica set members can reach each other on port 27017. Verify DNS resolution for hostnames used in rs.conf(). Check that replication.replSetName matches across all members.

Port already in use: Another mongod instance or process is bound to 27017. Find it with ss -tlnp | grep 27017 (Linux) or netstat -an | findstr 27017 (Windows). Stop the conflicting process or change the port in mongod.conf.

TLS handshake failures: Certificate mismatch or expired certificates. Verify with openssl s_client -connect hostname:27017. Check that the CA certificate is trusted by all clients and that the server certificate's CN/SAN matches the hostname.

Frequently Asked Questions

What is port 27017 used for?

Port 27017 is the default TCP port for MongoDB, the most popular NoSQL document database. It accepts client connections for CRUD operations, aggregation pipelines, replica set communication, and database administration. The MongoDB wire protocol on this port is binary-based (BSON) for efficiency.

What is the difference between ports 27017, 27018, and 28017?

Port 27017 is the default mongod port for standalone instances and replica set members. Port 27018 is the default for shard servers (mongod --shardsvr). Port 27019 is for config servers (mongod --configsvr). Port 28017 was the legacy HTTP status interface (removed in MongoDB 3.6). Port 27020 is commonly used for mongos router processes in sharded clusters.

Should port 27017 be exposed to the internet?

No. Port 27017 should never be exposed to the public internet. Over 100,000 MongoDB instances have been compromised because they were publicly accessible without authentication. Always bind MongoDB to localhost or specific private IPs using bindIp, enable authentication, and use firewall rules to restrict access to trusted application servers only.

How do I enable MongoDB authentication on port 27017?

Create an admin user with db.createUser() in the admin database, then enable authentication by adding security.authorization: enabled in mongod.conf (or use the --auth flag). Use SCRAM-SHA-256 for password authentication and x.509 certificates for TLS client authentication. Always create application-specific users with minimal required privileges.

How do I check if port 27017 is open?

Use nmap -sV -p 27017 hostname to scan remotely and detect MongoDB version, mongosh --host hostname --port 27017 to test MongoDB connectivity, ss -tlnp | grep 27017 to check locally on Linux, or Test-NetConnection -ComputerName hostname -Port 27017 in Windows PowerShell.

How do I change MongoDB's default port from 27017?

Set net.port: 27018 in mongod.conf or use the --port flag when starting mongod. Update your firewall rules, connection strings, and replica set configuration to use the new port. While changing the port provides security through obscurity, it should not be your only security measure — always enable authentication and TLS.
